Symptoms

During the installation of IIS 6.0 on Windows Server 2003, the setup may throw a message box indicating the following:

Error writing encrypted data to the Web Server's configuration database (Metabase).

0x80090010=Access denied.

Below is the screenshot of the exact error.

Cause

This issue occurs as the Sysocmgr.exe (The EXE for installing Windows components including IIS 6.0) tries to write the encrypted data to the Metabase.xml file. During this process, it looks for the machine key inside the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder. If it cannot find the key then it will try to create the key. During this Key creation process it calls CryptGenKey() method of advapi.dll. This in turn calls the rsaenh.dll (Microsoft’s cryptography service provider (CSP)) for the key creation. In this failing scenario, some 3rd party software had incorrectly registered a different dll (rsabase.dll) as our CSP binary. Rsabase.dll was used in Windows operating systems prior to Windows Server 2003. In Windows Server 2003 and onwards all Microsoft CSPs were merged into rsaenh.dll.

Resolution

1) Unregister rsabase.dll - regsvr32 /u %windir%\system32\rsabase.dll

2) Register rsaenh.dll - regsvr32 %windir%\system32\rsaenh.dll

3) Reinstall IIS

More Information

NOTE: If you select to write all the data unencrypted as per the error message box in the above screenshot (“Write UnEncrypted/All”) then setup may complete but the World Wide Web (WWW) service will not start. So it is not recommended to choose that option.

In IIS6.log file, you will see following entries being logged when you get this error,

[4/12/2010 18:47:14] OC_COMPLETE_INSTALLATION:iis_core:SetAdminACL:(/)Start.
[4/12/2010 18:47:14] OC_COMPLETE_INSTALLATION:iis_core:SetAdminACL:Write the new security descriptor to the Metabase:Start.
[4/12/2010 18:47:14] OC_COMPLETE_INSTALLATION:iis_core:SetAdminACL:  At this point we have already been able to write basic entries to the metabase, so...
[4/12/2010 18:47:14] OC_COMPLETE_INSTALLATION:iis_core:SetAdminACL:  If this has a problem then there is a problem with setting up encryption for the metabase (Crypto).
[4/12/2010 18:47:14] OC_COMPLETE_INSTALLATION:iis_core:WriteSDtoMetaBase:Start.
[4/12/2010 18:47:17] OC_COMPLETE_INSTALLATION:iis_core:WriteSDtoMetaBase:cmdKey():SetData(MD_ADMIN_ACL), dwdata = 84; outpSD = 57682b8, Start
[4/12/2010 18:47:17] OC_COMPLETE_INSTALLATION:iis_core:CMDKey::SetData[/:6027:MD_ADMIN_ACL].
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:MyMessageBox: Title:IIS Setup Error, Msg:Error Setting IIS Metabase data.

0x80090010=Access denied.

[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:!FAIL!
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:WriteSDtoMetaBase:cmdKey():SetData(MD_ADMIN_ACL), FAILED. Code=0x80090010.End.
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:WriteSDtoMetaBase:End.  Return=0x80090010
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:SetAdminACL:Write the new security descriptor to the Metabase:End.
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:SetAdminACL(/):End.
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:MyMessageBox: Title:IIS Setup Error, Msg:Do you want to retry?
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:...ProcessEntry:100=86...
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:...ProcessEntry:100=82...
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:...ProcessEntry:100=2...
[4/12/2010 18:48:52] OC_COMPLETE_INSTALLATION:iis_core:------------------

Cheers to life!